Bug#924939: stretch-pu: package runc/0.1.1+dfsg1-2+deb9u1

2019-03-18 Thread Shengjing Zhu
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

This includes patch for CVE-2019-5736.

As discussed with security-team, there's no urgency to go through
security-upload. So let's fix it through stable-proposed-updates.

-- 
Shengjing Zhu
diff -Nru runc-0.1.1+dfsg1/debian/changelog runc-0.1.1+dfsg1/debian/changelog
--- runc-0.1.1+dfsg1/debian/changelog   2017-02-01 23:17:54.0 +0800
+++ runc-0.1.1+dfsg1/debian/changelog   2019-03-19 00:50:07.0 +0800
@@ -1,3 +1,10 @@
+runc (0.1.1+dfsg1-2+deb9u1) stretch; urgency=medium
+
+  * Team upload.
+  * Add patch to address CVE-2019-5736 (Closes: #922050)
+
+ -- Shengjing Zhu   Tue, 19 Mar 2019 00:50:07 +0800
+
 runc (0.1.1+dfsg1-2) unstable; urgency=medium
 
   * Team upload.
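Review bot: the changelog line "Add patch to address CVE-2019-5736" gives stable users no idea what the issue is or where the fix comes from; since the patch header lists seven upstream commits (plus an nsexec.c hunk that is adjusted rather than cherry-picked), say so here, e.g. `* Backport upstream fixes for CVE-2019-5736: clone /proc/self/exe in nsenter so the host runc binary is not exposed to the container (Closes: #922050)`. apt-listchanges readers only ever see this line.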
diff -Nru runc-0.1.1+dfsg1/debian/patches/CVE-2019-5736.patch 
runc-0.1.1+dfsg1/debian/patches/CVE-2019-5736.patch
--- runc-0.1.1+dfsg1/debian/patches/CVE-2019-5736.patch 1970-01-01 
08:00:00.0 +0800
+++ runc-0.1.1+dfsg1/debian/patches/CVE-2019-5736.patch 2019-03-19 
00:50:07.0 +0800
@@ -0,0 +1,572 @@
+From: Shengjing Zhu 
+Date: Sun, 10 Mar 2019 17:47:46 +0800
+Subject: CVE-2019-5736
+
+Backport upstream patches for CVE-2019-5736
+
+Fix in nsexec.c is adjusted to current version
+
+Include commits:
+2d4a37b427167907ef2402586a8e8e2931a22490 nsenter: cloned_binary: userspace 
copy fallback if sendfile fails
+16612d74de5f84977e50a9c8ead7f0e9e13b8628 nsenter: cloned_binary: try to 
ro-bind /proc/self/exe before copying
+af9da0a45082783f6005b252488943b5ee2e2138 nsenter: cloned_binary: use the runc 
statedir for O_TMPFILE
+2429d59352b81f6b9cc79b5ed26780c5fe6ba4ec nsenter: cloned_binary: expand and 
add pre-3.11 fallbacks
+5b775bf297c47a6bc50e36da89d1ec74a6fa01dc nsenter: cloned_binary: detect and 
handle short copies
+bb7d8b1f41f7bf0399204d54009d6da57c3cc775 nsexec (CVE-2019-5736): avoid parsing 
environ
+0a8e4117e7f715d5fbeef398405813ce8e88558b nsenter: clone /proc/self/exe to 
avoid exposing host binary to container
+
+Bug-Debian: https://bugs.debian.org/922050
+---
+ libcontainer/nsenter/cloned_binary.c | 516 +++
+ libcontainer/nsenter/nsexec.c|   8 +
+ 2 files changed, 524 insertions(+)
+ create mode 100644 libcontainer/nsenter/cloned_binary.c
+
+diff --git a/libcontainer/nsenter/cloned_binary.c 
b/libcontainer/nsenter/cloned_binary.c
+new file mode 100644
+index 000..b410e29
+--- /dev/null
 b/libcontainer/nsenter/cloned_binary.c
+@@ -0,0 +1,516 @@
++/*
++ * Copyright (C) 2019 Aleksa Sarai 
++ * Copyright (C) 2019 SUSE LLC
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++#define _GNU_SOURCE
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++#include 
++
++/* Use our own wrapper for memfd_create. */
++#if !defined(SYS_memfd_create) && defined(__NR_memfd_create)
++#  define SYS_memfd_create __NR_memfd_create
++#endif
++/* memfd_create(2) flags -- copied from . */
++#ifndef MFD_CLOEXEC
++#  define MFD_CLOEXEC   0x0001U
++#  define MFD_ALLOW_SEALING 0x0002U
++#endif
++int memfd_create(const char *name, unsigned int flags)
++{
++#ifdef SYS_memfd_create
++  return syscall(SYS_memfd_create, name, flags);
++#else
++  errno = ENOSYS;
++  return -1;
++#endif
++}
++
++
++/* This comes directly from . */
++#ifndef F_LINUX_SPECIFIC_BASE
++#  define F_LINUX_SPECIFIC_BASE 1024
++#endif
++#ifndef F_ADD_SEALS
++#  define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9)
++#  define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10)
++#endif
++#ifndef F_SEAL_SEAL
++#  define F_SEAL_SEAL   0x0001/* prevent further seals from being set 
*/
++#  define F_SEAL_SHRINK 0x0002/* prevent file from shrinking */
++#  define F_SEAL_GROW   0x0004/* prevent file from growing */
++#  define F_SEAL_WRITE  0x0008/* prevent writes */
++#endif
++
++#define CLONED_BINARY_ENV "_LIBCONTAINER_CLONED_BINARY"
++#define RUNC_MEMFD_COMMENT "runc_cloned:/proc/self/exe"
++#define RUNC_MEMFD_SEALS \
++  (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)
++
++static void *must_realloc(void *ptr, size_t size)
++{
++  void *old = ptr;
++  do {
++  ptr = realloc(old, size);
++  } while(!ptr);
++  return ptr;
++}
++
++/*
++ * Verify whether we are currently in a self-cl
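Review bot: must_realloc in cloned_binary.c (`do { ptr = realloc(old, size); } while(!ptr);`) never terminates when realloc keeps failing, so memory pressure in the nsenter path turns into a busy-looping runc process rather than an error; since this runs before the container init is exec'd, failing hard is preferable (`if (!ptr) { perror("realloc"); abort(); }` or return NULL and let the caller bail out). Note too that `realloc(old, 0)` may legitimately return NULL and would also spin. Separately, `int memfd_create(const char *name, unsigned int flags)` is defined as a non-static external symbol; stretch's glibc 2.24 has no libc wrapper so this builds, but glibc 2.27 and later declare memfd_create in the GNU headers, so marking it `static` (or using a runc-specific name) avoids shadowing the libc wrapper if this patch is carried forward. The header names inside the `#include` lines and the angle-bracket references in comments did not survive on this page, and the hunk is cut off mid-comment, so the include set, the actual clone-and-seal logic and the nsexec.c change cannot be checked from what is visible here.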

Bug#924939: stretch-pu: package runc/0.1.1+dfsg1-2+deb9u1

2019-04-13 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Tue, 2019-03-19 at 01:11 +0800, Shengjing Zhu wrote:
> This includes patch for CVE-2019-5736.
> 
> As discussed with security-team, there's no urgency to go through
> security-upload. So let's fix it through stable-proposed-updates.
> 

Please go ahead.

Regards,

Adam



Bug#924939: stretch-pu: package runc/0.1.1+dfsg1-2+deb9u1

2019-04-14 Thread Shengjing Zhu
On Sun, Apr 14, 2019 at 5:01 AM Adam D. Barratt
 wrote:
>
> Control: tags -1 + confirmed
>
> On Tue, 2019-03-19 at 01:11 +0800, Shengjing Zhu wrote:
> > This includes patch for CVE-2019-5736.
> >
> > As discussed with security-team, there's no urgency to go through
> > security-upload. So let's fix it through stable-proposed-updates.
> >
>
> Please go ahead.
>

Uploaded.

-- 
Shengjing Zhu



Processed: Re: Bug#924939: stretch-pu: package runc/0.1.1+dfsg1-2+deb9u1

2019-04-13 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #924939 [release.debian.org] stretch-pu: package runc/0.1.1+dfsg1-2+deb9u1
Added tag(s) confirmed.

-- 
924939: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924939
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems